Windows Defender uses all available CPU and renders Windows Server 2022 unusable

Question

Windows Defender uses all available CPU and renders Windows Server 2022 unusable

Stephen P 101

I am running a Windows Server 2022 virtual server under Azure.

Edition Windows Server 2022 Datacenter Azure Edition

Version 21H2

Installed on ‎20/‎11/‎2021

OS build 20348.1726

For the last few days it has, from time to time, become almost unusable. It seems that the Antimalware Service Executable is consuming all available CPU, rendering the computer unresponsive and I/O operations becoming incredibly slow. The system is up to date. Troubleshooting is almost impossible because the performance is so dire. For example, the estimated time to unzip a 200MByte zip (expanding to 800MBytes) file is four hours!

I have already tried the tricks of setting the scans to nightly at midnight and excluding the MsMpEng.exe process from scanning (but the exclusion won't remain; Azure takes it away again).

In addition, the Event Log shows this error occurs frequently:

Session "SenseIRTraceLogger" failed to start with the following error: 0xC0000035

This is related, I think, to Windows Defender Advanced Threat Protection. It gives the following error frequently:

The Windows Defender Advanced Threat Protection Service service terminated unexpectedly. It has done this 95 time(s). The following corrective action will be taken in 300000 milliseconds: Restart the service.

Could the two be related?

I have found that rebooting the server gives a bit of respite, but then the issue recurs.

As I said, I thought I had done what others have suggested, but to no avail. I'm reluctant to disable Windows Defender, but maybe I should look for another antivirus product?

1 answer

Your answer

Answer 1

Limitless Technology 44,751

Hello Stephen,

Thank you for your question and for reaching out with your question today.

If I were in your situation, I would temporarily disable Defender in order to verify that the issue is being caused by Defender. If this is verified, then I would try updating the system with all the latest updates and fixes to see if that resolves the issue. if not, try flushing your IP and DNS Caches. Open a admin CMD prompt and do the following:

Input the commands below in the following order, pressing the Enter key on your keyboard after each line:

ipconfig /flushdns

ipconfig /registerdns

ipconfig /renew

ipconfig /release

The following Microsoft guide may also be of use:

https://learn.microsoft.com/microsoft-365/security/defender-endpoint/enable-update-mdav-to-latest-ws?view=o365-worldwide

If the reply was helpful, please don’t forget to upvote or accept as answer.

Stephen P 101 Reputation points

2023-05-18T11:18:21.3266667+00:00

I thought about disabling Defender, but I'm not sure the Azure environment will let me. What is interesting is that there is a case of 'now you see it, now you don't', as the problem seems to come and go a bit at random.
Larry Silverman 27 Reputation points

2023-05-24T18:31:15.13+00:00

Landed here because I'm fighting the same thing. No progress yet except to consider completely disabling Windows Defender Advanced Threat Protection because it's such a dog.

I had to sign in to comment on the absurdity of the suggestion offered by "Limitless Technology".

We're talking about VMs in Azure. If you execute an "ipconfig /release", your NIC is going to drop its network. THEN WHAT?

Not to mention the fact that this person got the order of operations backward. If you were on the console of a server (where you would not be kicked off by releasing the NIC config), then you'd do the release before the renew.

Just ridiculous advice.
Stephen P 101 Reputation points

2023-05-26T18:53:47.81+00:00

I still haven't worked out how you disable Windows Defender in Azure - it seems some things are 'baked in'. I tried disabling Real Time Protection, but it didn't seem to make any difference. What is strange, however, is that the issue is intermittent, now you see it, now you don't.
Dalton Reeves 136 Reputation points

2023-09-22T19:48:36.7766667+00:00

@Stephen P did you make any progress? Ive got a 2022 Azure Edition server with all typical methods of disabling Windows Defender as that stupid ATP process and that POS is STILL tanking the CPU. I don't even know what its scanning because its all turned off, all schedules nuked, all gpo tells it to quit, omitted the process, omitted ALL the drives.
Stephen P 101 Reputation points

2023-09-25T09:46:07.7433333+00:00

Not much progress, I'm afraid. It seems when we are doing heavy I/O activity such as backing up a folder Windows Defender hogs the CPU. I'm planning to see if excluding a folder I am backing up from Windows Defender before starting the backup will make any difference.
Stephen P 101 Reputation points

2023-09-25T09:47:47.0266667+00:00

Not much progress, I'm afraid. It seems when we are doing heavy I/O activity such as backing up a folder Windows Defender hogs the CPU. I'm planning to see if excluding a folder I am backing up from Windows Defender before starting the backup will make any difference.
Dalton Reeves 136 Reputation points

2023-09-25T12:02:14.4+00:00

Do you have your server connect to Microsoft Defender 365 Endpoint? Or whatever stupid name it is. I've omitted every drive, and both Defender processes and nothing worked. But I can across a ms tech community forum that suggested offboarding the device, rebooting, then reonboarding. Supposedly it's a bug. I'm testing this currently.

Share via

Windows Defender uses all available CPU and renders Windows Server 2022 unusable

1 answer

Your answer